From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
Subject: | pgsql: Remove misguided SSL key file ownership check in libpq. |
Date: | 2022-05-26 18:14:26 |
Message-ID: | E1nuI09-001GeI-Ql@gemulon.postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-committers |
Remove misguided SSL key file ownership check in libpq.
Commits a59c79564 et al. tried to sync libpq's SSL key file
permissions checks with what we've used for years in the backend.
We did not intend to create any new failure cases, but it turns out
we did: restricting the key file's ownership breaks cases where the
client is allowed to read a key file despite not having the identical
UID. In particular a client running as root used to be able to read
someone else's key file; and having seen that I suspect that there are
other, less-dubious use cases that this restriction breaks on some
platforms.
We don't really need an ownership check, since if we can read the key
file despite its having restricted permissions, it must have the right
ownership --- under normal conditions anyway, and the point of this
patch is that any additional corner cases where that works should be
deemed allowable, as they have been historically. Hence, just drop
the ownership check, and rearrange the permissions check to get rid
of its faulty assumption that geteuid() can't be zero. (Note that the
comparable backend-side code doesn't have to cater for geteuid() == 0,
since the server rejects that very early on.)
This does have the end result that the permissions safety check used
for a root user's private key file is weaker than that used for
anyone else's. While odd, root really ought to know what she's doing
with file permissions, so I think this is acceptable.
Per report from Yogendra Suralkar. Like the previous patch,
back-patch to all supported branches.
Discussion: https://postgr.es/m/MW3PR15MB3931DF96896DC36D21AFD47CA3D39@MW3PR15MB3931.namprd15.prod.outlook.com
Branch
------
REL_12_STABLE
Details
-------
https://git.postgresql.org/pg/commitdiff/01ab9fb7dee5f9445bae94a942afb6ee9bcccd4f
Modified Files
--------------
src/backend/libpq/be-secure-common.c | 5 +++--
src/interfaces/libpq/fe-secure-openssl.c | 34 ++++++++++++++++----------------
2 files changed, 20 insertions(+), 19 deletions(-)
From | Date | Subject | |
---|---|---|---|
Next Message | David Rowley | 2022-05-26 22:39:29 | pgsql: Teach remove_unused_subquery_outputs about window run conditions |
Previous Message | Robert Haas | 2022-05-26 16:57:12 | pgsql: In CREATE FOREIGN TABLE syntax synopsis, fix partitioning stuff. |